Bug 771245 - nagios-plugins-disk fails when checking /boot on RHEL6.2 boxes
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: nagios-plugins
Version: el6
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Ohad Levy
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-01-02 21:53 UTC by Brian J. Atkisson
Modified: 2017-06-29 18:17 UTC

Fixed In Version: nagios-plugins-2.2.1-1.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-06-29 18:17:06 UTC
Type: ---
Embargoed:


Description Brian J. Atkisson 2012-01-02 21:53:37 UTC
Description of problem:

Looks like a new selinux policy was pushed with RHEL6.2, which keeps /usr/lib64/nagios/plugins/check_disk from reading disk status on /boot, giving the following error:

DISK CRITICAL - /boot is not accessible: Permission denied 

The disk check I am using is:

command[check_boot]=/usr/lib64/nagios/plugins/check_disk -w 10% -c 5% -p /boot


Version-Release number of selected component (if applicable):
nagios-plugins-disk-1.4.14-4.el6.x86_64
RHEL 6.2 (latest)

How reproducible:

All the time.

Steps to Reproduce:
1. Update to RHEL 6.2 from RHEL 6.1 in SELinux enforcing mode.
2. Watch the /boot check fail.
3. Run 'setenforce 0' and it starts working again.
  
Actual results:
DISK CRITICAL - /boot is not accessible: Permission denied 

Expected results:

The /boot check to succeed.

Additional info:

I generated the following SELinux policy, which fixes the issue; it can probably be cleaned up a bit:
-------------
module nrpe_check_disk 1.0;

require {
        type nrpe_t;
        type nagios_checkdisk_plugin_t;
        type boot_t;
        class process { siginh noatsecure rlimitinh };
        class tcp_socket { read write };
        class dir getattr;
}

#============= nagios_checkdisk_plugin_t ==============
allow nagios_checkdisk_plugin_t boot_t:dir getattr;
allow nagios_checkdisk_plugin_t nrpe_t:tcp_socket { read write };

#============= nrpe_t ==============
allow nrpe_t nagios_checkdisk_plugin_t:process { siginh rlimitinh noatsecure };
------------

I had to enable logging of all denied SELinux policies to get:

type=1400 audit(1325539329.240:9795): avc:  denied  { read write } for  pid=23107 comm="check_disk" path="socket:[12409604]" dev=sockfs ino=12409604 scontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=unconfined_u:system_r:nrpe_t:s0 tclass=tcp_socket
type=1400 audit(1325539329.240:9796): avc:  denied  { rlimitinh } for  pid=23107 comm="check_disk" scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tclass=process
type=1400 audit(1325539329.240:9797): avc:  denied  { siginh } for  pid=23107 comm="check_disk" scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tclass=process
type=1400 audit(1325539329.240:9798): avc:  denied  { noatsecure } for  pid=23107 comm="check_disk" scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tclass=process
type=1400 audit(1325539329.241:9799): avc:  denied  { getattr } for  pid=23107 comm="check_disk" path="/boot" dev=vda1 ino=2 scontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir
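
Added example (not part of the original report or of nagios-plugins): a small Python parser that merges the five AVC records above into allow rules per source type, target type and class, and lists the directory getattr denials among them. The function names are this example's own.

```python
import re
from collections import defaultdict

# The five AVC records quoted in the report, copied verbatim.
AVC_LOG = '''
type=1400 audit(1325539329.240:9795): avc:  denied  { read write } for  pid=23107 comm="check_disk" path="socket:[12409604]" dev=sockfs ino=12409604 scontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=unconfined_u:system_r:nrpe_t:s0 tclass=tcp_socket
type=1400 audit(1325539329.240:9796): avc:  denied  { rlimitinh } for  pid=23107 comm="check_disk" scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tclass=process
type=1400 audit(1325539329.240:9797): avc:  denied  { siginh } for  pid=23107 comm="check_disk" scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tclass=process
type=1400 audit(1325539329.240:9798): avc:  denied  { noatsecure } for  pid=23107 comm="check_disk" scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tclass=process
type=1400 audit(1325539329.241:9799): avc:  denied  { getattr } for  pid=23107 comm="check_disk" path="/boot" dev=vda1 ino=2 scontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}(?P<mid>.*?)'
    r'scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)')
PATH_RE = re.compile(r'path="([^"]*)"')

def selinux_type(context):
    """Type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def parse(log_text):
    """Yield (source type, target type, class, permissions, path) per denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # skip anything that is not an AVC denial record
        path = PATH_RE.search(m["mid"])
        yield (selinux_type(m["src"]), selinux_type(m["tgt"]), m["cls"],
               m["perms"].split(), path.group(1) if path else None)

def allow_rules(log_text):
    """Merge denials per (source, target, class) into allow rules."""
    grouped = defaultdict(set)
    for src, tgt, cls, perms, _ in parse(log_text):
        grouped[(src, tgt, cls)].update(perms)
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

def stat_denials(log_text):
    """(path, target type) for each denied getattr on a directory."""
    return [(path, tgt) for _, tgt, cls, perms, path in parse(log_text)
            if cls == "dir" and "getattr" in perms]

if __name__ == "__main__":
    print("\n".join(allow_rules(AVC_LOG)))
    print(stat_denials(AVC_LOG))
```

The three rules it prints carry the same permissions as the module posted above. Only one record is a directory getattr denial, for /boot with type boot_t, so a rule derived this way covers that one target type only.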

Comment 1 Kåre Hviid 2012-01-13 09:16:10 UTC
Unfortunately, adding boot_t:dir getattr access will only solve this problem for /boot.  The reason for the AVC denial is that check_disk will call stat() on every mount point specified via its internal stat_path() function.  For local file systems this isn't really needed if all you want to do is to check for disk size.  I tweaked the check_disk.c code to skip stat_path() by default and that appears to work fine, but there apparently are cases when you do want to use stat().

To test the full effects of SELinux on check_disk, use a line with

    command[check_disk]=/usr/lib64/nagios/plugins/check_disk -w 10% -c 5%

and check_disk will traverse all mount points and get AVC denials on stat() on quite a few, depending on your setup.

Comment 2 Brian J. Atkisson 2012-01-13 14:45:09 UTC
We also have bz#768055 open to come at this from the selinux-policy side of things in RHEL6.

Comment 4 marianne@tuxette.fr 2015-05-26 14:32:42 UTC
Same type of issue on el7

Comment 5 Fedora Update System 2017-02-15 14:31:37 UTC
nagios-plugins-2.1.4-5.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-4e77054bfa

Comment 6 Fedora Update System 2017-02-16 14:15:55 UTC
nagios-plugins-2.1.4-5.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-4e77054bfa

Comment 7 Fedora Update System 2017-02-16 21:15:21 UTC
nagios-plugins-2.1.4-6.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-b820953367

Comment 8 Fedora Update System 2017-02-17 15:30:40 UTC
nagios-plugins-2.1.4-7.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-994c77a4cd

Comment 9 Fedora Update System 2017-02-18 00:16:36 UTC
nagios-plugins-2.1.4-7.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-994c77a4cd

Comment 10 Fedora Update System 2017-02-25 21:52:45 UTC
nagios-plugins-2.2.0-3.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-5d813cd00d

Comment 11 Fedora Update System 2017-02-25 22:27:14 UTC
nagios-plugins-2.2.0-4.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-b0accaba31

Comment 12 Fedora Update System 2017-02-26 22:48:26 UTC
nagios-plugins-2.2.0-4.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-b0accaba31

Comment 13 Fedora Update System 2017-03-11 00:48:00 UTC
nagios-plugins-2.2.0-6.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-4a502a08b4

Comment 14 Fedora Update System 2017-03-11 12:47:48 UTC
nagios-plugins-2.2.0-6.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-4a502a08b4

Comment 15 Fedora Update System 2017-03-13 13:29:52 UTC
nagios-plugins-2.2.0-7.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-1623674064

Comment 16 Fedora Update System 2017-03-14 00:16:38 UTC
nagios-plugins-2.2.0-7.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-1623674064

Comment 17 Fedora Update System 2017-04-21 00:16:34 UTC
nagios-plugins-2.2.1-1.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-306cbf64b0

Comment 18 Fedora Update System 2017-06-29 18:17:06 UTC
nagios-plugins-2.2.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
